I'm new to PHP programming and I wrote some code, but I'm not sure whether or not I'm opening a door to hackers, really. I use Prestashop, an open source cart, to manage an online store. Because I want to quickly access and alter its database, I created a .php file that seems to do the trick. But how secure is it? In order to make it secure I used the login.php and index.php files from the open source cart; if the e-mail and password are OK, then it redirects to my own PHP file. The user is redirected to a login.php file, which is supposed to be safe since it is written by Prestashop; then login.php redirects the user to index.php. The following is the index.php file

You only want errors on in a dev environment. In the real world they can communicate info you do not want shared, including table names etc., if given the correct input. Also, this may sound nitpicky, but personally I believe that 'SELECT *' is bad form in general. I typically prefer explicitly named fields in select statements. In cases where you have multiple tables linked, it can really cut down on the size of the result set. You're also implicitly trusting the form posting your data by not verifying even as much as the referer or the post fields.

1) Oh.. yep, I set display_errors so I can debug it but forgot to deactivate it.

2) If I want to select a row in a table and I know one element of that row (e.g. id_product), then this is what I've been taught to write: mysql_query("SELECT * FROM ps_product WHERE id_product=$id_prod"); I don't understand how I can do it differently; can you give me an example?

3) Before being able to enter data in the form, the user has to log in. I was thinking this should prevent other people from accessing the form. Then I limit the input to 13 characters long. I'm not sure how else I should protect it. Can you give me some example code?

The asterisk is a wildcard used in queries to say 'all fields'. It is better to be deliberate with your requests, like

SELECT field1,field2,field3 FROM atable WHERE criteria=true

You also want to escape your strings etc. Think about what happens if $EAN contained the value "0; DROP TABLE ps_product;": your query to return all rows just turned into 2 queries, where the first returns no results and the second discards the table. If you're trying to be security minded, always assume that every user wants to break or compromise your database, pages, etc.

Ooo, I see now. OK, I will specify the fields I want. I am limiting the input to 13 characters (using maxlength="13") and I will also add an is_numeric() check to see that the entered value is a number.

I assume that if I do this (together with turning error reporting off) I shouldn't be afraid to put the script live. If anybody has any other suggestions, please let me know.
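An added example, not code from this thread or from Prestashop, showing the two points raised above (an explicit field list and a query that cannot be altered by the $EAN value) done with a PDO prepared statement, plus the server-side length and digit check that maxlength="13" and is_numeric() alone do not give you. The DSN, credentials and the ean13, reference and price column names are assumptions; the mysql_* functions used in the original are removed in PHP 7 and later, so PDO is used instead.

```php
<?php
// Added example, not Prestashop code. Validates an EAN-13 value and looks it up
// with a prepared statement so the value is never parsed as part of the SQL text.

// Returns the 13-digit string, or null if the input is not a valid EAN-13.
// maxlength="13" is only a hint to the browser; the server must re-check the input.
function validateEan13(string $raw): ?string
{
    $ean = trim($raw);
    // ctype_digit rejects signs, spaces and decimals that is_numeric() would accept.
    if (!ctype_digit($ean) || strlen($ean) !== 13) {
        return null;
    }
    // EAN-13 check digit: weights 1,3,1,3,... over the first 12 digits,
    // the 13th digit brings the total to a multiple of 10.
    $sum = 0;
    for ($i = 0; $i < 12; $i++) {
        $sum += (int) $ean[$i] * (($i % 2 === 0) ? 1 : 3);
    }
    $check = (10 - ($sum % 10)) % 10;
    return ((int) $ean[12] === $check) ? $ean : null;
}

// Explicit column list (no SELECT *) and a bound parameter: the driver sends the
// value separately from the SQL, so "0; DROP TABLE ps_product;" is just a string
// that matches no row instead of a second statement.
function findProductByEan(PDO $db, string $ean): ?array
{
    $stmt = $db->prepare(
        'SELECT id_product, reference, price FROM ps_product WHERE ean13 = :ean'
    );
    $stmt->execute([':ean' => $ean]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage. Connection details are placeholders (assumed), replace with your own.
ini_set('display_errors', '0'); // never show SQL errors to visitors in production
$db = new PDO('mysql:host=localhost;dbname=prestashop;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$ean = validateEan13($_POST['EAN'] ?? '');
if ($ean === null) {
    http_response_code(400);
    exit('Invalid EAN-13');
}
$product = findProductByEan($db, $ean); // null when no product has that EAN
```

The login check in front of the form still matters, but it only controls who can reach the page; the prepared statement is what keeps whatever they type from becoming SQL.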